I will start a new topic, where you can share with others problems and the eventual solutions you encounter during your work.

I will start with something very recent. I am working as an analyst, and one of my responsibilities (initiated by myself) is to do vulnerabilities scans, and eventually penetration testing.

It has been few month now since I am asking for permission to install Backtrack, on a VM, in the internal network. This it will help me to do other scans than Nessus, I can use Metasploit, Dradis... you get it.

My boss didn't want to take the responsibility to approve it, so it forwarded my request to a senior architect. Every week I kept asking for an answer. Yesterday he told me that they will not approve it because Backtrack is not supported. I told him that there is no need to support, because being a VM on my laptop, if it breaks, I will restore it or I will install another version. But, he explained that they don't want to approve because I will be the only one in the company that will know how to use it, and if I will leave they will not be able to continue my work.

Imagine my frustration. I studied for so long, I am even doing OSCP paid by them, and now they do not accept it.

I know that there are other options. They will be happy with a commercial distribution, even if it isn't as good as Backtrack. They want something based on Red Hat, but I don’t like the idea.I prefer Backtrack because it is very easy to use, you have all the tools in one place, and it is very easy to update.

Unfortunately this isn't the only initiative denied by him (them) so I am becoming very unhappy at work. I even started to think about leaving.

I don't know which the best solution is, but I am tired to try to be creative and to be denied because he doesn't have an open mind.

alucian wrote:It has been few month now since I am asking for permission to install Backtrack, on a VM, in the internal network. This it will help me to do other scans than Nessus, I can use Metasploit, Dradis... you get it.

My boss didn't want to take the responsibility to approve it, so it forwarded my request to a senior architect. Every week I kept asking for an answer. Yesterday he told me that they will not approve it because Backtrack is not supported.

Reality is... Get over it And I don't mean this in a spiteful/mean manner. You have to take a different approach to the way you're looking at this. Their concerns (managers_ are valid although they may not seem to make sense to you. You asked for an application suite (bunch of tools bundled in one) that you would be the only one capable of running. Even though the tools may be free to use for the most part, there still is the cost of them having to train someone else on using them if you leave.

So while you will see it as: "everything is open source so its easy to use" they will see it from a cost benefit perspective. "What would it cost me to train existing individuals to use this... What would it cost for support when you need someone on the phone RIGHT NOW..."

You were wrong to go over your bosses head 1) because of the chain of command (and no I'm not in the military) and 2) your approach is wrong

When approaching management, you ALWAYS need to remember that business comes first and even though you may have an alternative solution, your presentation was non-existent. To overcome this, you should have shown them some financial benefits to choosing Backtrack versus a pay for play model.

Now what *I WOULD HAVE DONE* is gone out and done the research on say 5 enterprise tools. Put together your own RFI/RFP using those tools and show them the cost benefit of training existing and or new staff to use Backtrack versus the other options.

Each commercial tool has a cost which dwarf the cost of training say 3 employees via OSCP + using Backtrack and other open source tools. Make it a business case for them and be factual with your information. Not biased by "I want to use this.... Well you won't give it to me, I'll ask someone else"

You need to remember that your manager also answers to someone and if you think about this from his perspective, why would he want the headache of trying to understand something - which may be simple to you - or not being able to call a support line and have them fix the issues.

Right now, I love FOSS, I love BSD, Linux, etc., but the reality is, I'd prefer say SAP or MS Office since I can always call and bitch and moan at 3AM without having to spend say 3-4 hours digging out via Google, jumping on IRC, etc.

alucian wrote:Unfortunately this isn't the only initiative denied by him (them) so I am becoming very unhappy at work. I even started to think about leaving.

You need to always remember that a business' objective is to make money. This is their first and primary goal. What you've done is nothing more than offer an opinion without allowing them to understand anything associated with what you want to do. You also confuse creativity and innovations. Your bosses don't need to be creative, they need to meet the goals set for them by THEIR managers. Present it to you boss from a business perspective. What are the costs, what are the risks and what are the benefits.

I've done this for years on end and almost always end up getting my way at the end of the day. HOWEVER (big however here...), I ALWAYS, ALWAYS, ALWAYS put together a good fight. This includes prices, research, what the herd says, etc., this way no one can call it a biased opinion:

Research indicates other similar companies have done X and saved Y amount of money.

I'm not coming down at all, giving you constructive criticism here... All you've done is complained about not getting what you wanted, but you haven't actually fought for what you want now have you

When I started I used a comparable Ubuntu to the latest BT and just added the BT repos because management was leery of BT/Samurai/etc. Not everything works as well as on BT but it mostly works. Sometimes you just have to pick your battles. Now that I'm more of a trusted entity I use whatever OS I wish but it took building trust to get to that point.

Last edited by tturner on Thu Mar 03, 2011 5:08 pm, edited 1 time in total.

I can understand your frustration. I have been through that phase as well. The way I approached the situation was to break all your work into phases. Start with the simplest thing that you know they cannot say no to. Get it working, document it well enough so that they get the confidence that there is now a process where the tool fits in and there is enough documentation for someone else to start using it. Generate reports and show the benefits from the tools/processes you implement.

It takes time and you need to have patience. Eventually you may either get your tools or you may get the budget to buy commercial versions with the support.

I've been going through the same frustrations as you, alucian. I just recently realized what sil mentioned, about making it a business case. I'm still working through the best way to go about doing this with the people I work with - finding what information works best to persuade them in a certain direction (sort of like social engineering a bit, eh? ) - and I'm very appreciative to sil for sharing his experiences in all this!

Man I love reading Sil's posts, always very informative. I feel your pain alucian, thankfully getting tools I need isn't too difficult, most of the time it comes down to cost. Right now we actually have in the budget for a decent vulnerability scanner. The problems I am having is that our current Security officer hasn't done a risk assessment since he has been there, the most current is something like 6 years old. When he does do any reports, he doesn't like to share with us unless we ask him and CC everyone and their mother. It took him 2 months to hand us the pen test we had done. His reason was because he didn't see anything that was high risk on it. Meanwhile we get it and there are a bunch of 10 scores for a number of internal vulnerabilities. Simple stuff to fix, but still, not his call in my opinion. Though if he knew anything beyond what he reads in white papers, then maybe he would have figured it out. So my pain is that we have an ISO that knows nothing about about the network and he's been their longer than me. I've been there less than a year and know more about the network than most of the current staff.

Whoops, turned that into a venting session. Sorry bout that. Here's my next question, why did they pay for training for your OSCP if they don't want you to have the toolkit used to assess the network? Do they plan on allowing you to perform regular pen tests? Or did they have you take the training so you can be more aware of what to look for in the event you are being attacked?

Triban wrote:Whoops, turned that into a venting session. Sorry bout that. Here's my next question, why did they pay for training for your OSCP if they don't want you to have the toolkit used to assess the network? Do they plan on allowing you to perform regular pen tests? Or did they have you take the training so you can be more aware of what to look for in the event you are being attacked?

Hello,

They paid for it because I asked for it, I made a business case, and, most important, because the company has a budget for training and nobody uses it (Peter's principle at it's best).

Now, after months of fighting, we will introduce Backtrack in the internal network, in order to identify the false positives in the Nessus reports.

But I am so fed up with this fighting, I am so upset that I have to beg to do my work, that I am looking for another job. My boss knows it (the HR found my resume on monster) and I told him the real reasons for leaving. He didn't care very much, and he said that I am wrong, and they are right

I will even have an interview for a vulnerability analyst position. Even if I will not be accepted (they are asking more security experience than I have), the good news is that I have the confirmation that I am on the right path, and working my ass and doing a lot of sacrifices to study will pay back. For example, now is Sunday 2.20 pm, and I am at the office because I want to study. I sacrificed a Sunday afternoon with my wife and kids, but I know that someday I will be rewarded for this. (even if my boss tells my that technical skills are not enough, I need to have a positive attitude and to integrate in the company's culture )